Library tutorials & articles
Securing ASP Data Access
Enter the Metabase
To do what I am suggesting, you are going to need some handy tools. One of these is the Metabase Editor, or MetaEdit for short. This tool is generously provided by Microsoft, and comes included in the IIS Resource Kit. You can also download it from Microsoft at:
http://support.microsoft.com/support/kb/articles/Q232/0/68.ASP.
Do yourself a favor and read the knowledge base article if you haven't already. As the name implies, MetaEdit functions with the metabase much like our old friend RegEdit did with the registry. It also shares the same caveat, that you can do a considerable amount of damage with it. Before you face that risk, back up your metabase from the IIS management console, preferably several times. It is extremely important to do this when you are writing code that manipulates the metabase itself, because you will want to be able to undo any potentially bad changes it makes.
Once you have downloaded and installed MetaEdit on your web server, open it and take a look around. You'll see that the metabase has a tree structure, very similar to the registry, or even Active Directory. In fact, like Active Directory (or any LDAP database for that matter) the metabase has a schema. The schema defines all the data types that can be defined within the metabase, in which containers they are valid, and other vital information.
So, this is where we'll begin. You need to define data types that will store the username, password, and connection string for our database. If you were connecting to LDAP or Active Directory, you'd also need to create data types for these connections. There are three paths in which your new data type will be defined. These are each listed under the /Schema/Properties path, and are Defaults, Names, and Types. If you take a direct look at the values under these paths, you can see that they are almost impossible to understand, because much of the information is stored in binary. Fortunately, you can extend the schema via the ADSI, or Active Directory Services Interface, a COM object API that allows us to interact with the metabase, as well as other directory structures. Through ADSI, we can use VBScript or ASP to bind to the metabase and define our values.
Older versions of Windows NT4.0 may not have the ADSI installed. If this is the case on your server, you can download it from Microsoft from the following URL:
http://www.microsoft.com/NTWorkstation/downloads/Other/ADSI25.asp
I have been working in IT since 1993. I founded CarpeDiem Business Internet Systems in 1995. In 2000 we incroporated and took on two partners. Its really a grat lot of fun, and I enjoy working on t...
Related articles
Related discussion
-
Read eMails from Outlook express using ASP
by kumaravelu (1 replies)
-
Help to Call ASP function from onclick event in HTML to pass an array
by vka (0 replies)
-
Binary Studio | software development outsourcing Ukraine
by shane124 (4 replies)
-
Variable In Vb.Net
by chia (0 replies)
-
ideas in building a captive portal
by sjranjan (2 replies)
Related podcasts
-
Scott Guthrie
Scott catches up with Scott Guthrie in an interview covering Ajax, Asp 2.0, extender controls, CSS adapters and more.
Very impressive.
Having been battling with ASP database security it is nice to know the solution is out there although it is still quite worrying that database security is quite so vunerable without going to these extremes.
Thanks.
Tom.
Very impressive.
Having been battling with ASP database security it is nice to know the solution is out there although it is still quite worrying that database security is quite so vunerable without going to these extremes.
Thanks.
Tom.
This thread is for discussions of Securing ASP Data Access.